7.2. Applying patches to Red Hat Fuse applications
The purpose of patch-maven-plugin is to update the versions of the dependencies listed in the Red Hat Fuse BOM to the versions specified in the patch metadata that you want to apply to your application.
Procedure
The following procedure explains how to apply a patch to your application.
Add patch-maven-plugin to your project's pom.xml file. The version of patch-maven-plugin must be the same as the version of the Fuse BOM.

    <build>
      <plugins>
        <plugin>
          <groupId>org.jboss.redhat-fuse</groupId>
          <artifactId>patch-maven-plugin</artifactId>
          <version>${version.org.jboss-redhat-fuse}</version>
          <extensions>true</extensions>
        </plugin>
      </plugins>
    </build>
When you run any mvn clean deploy or mvn dependency:tree command, the plugin searches the project modules to check whether one of the Red Hat Fuse BOMs is used. Only two BOMs are treated as supported:
- org.jboss.redhat-fuse:fuse-karaf-bom: for the Fuse Karaf BOM
- org.jboss.redhat-fuse:fuse-springboot-bom: for the Fuse Spring Boot BOM
If none of the above BOMs is found, the plugin displays the following message:

    $ mvn clean install
    [INFO] Scanning for projects...
    [INFO] ========== Red Hat Fuse Maven patching ==========
    [INFO] [PATCH] No project in the reactor uses Fuse Karaf or Fuse Spring Boot BOM. Skipping patch processing.
    [INFO] [PATCH] Done in 3ms
If both Fuse BOMs are found, patch-maven-plugin stops with the following warning:

    $ mvn clean install
    [INFO] Scanning for projects...
    [INFO] ========== Red Hat Fuse Maven patching ==========
    [WARNING] [PATCH] Reactor uses both Fuse Karaf and Fuse Spring Boot BOMs. Please use only one. Skipping patch processing.
    [INFO] [PATCH] Done in 3ms
patch-maven-plugin attempts to fetch one of the following Maven metadata values:
- For projects using the Fuse Karaf BOM, org.jboss.redhat-fuse/fuse-karaf-patch-metadata/maven-metadata.xml is resolved. This is the metadata of the artifact with the coordinates org.jboss.redhat-fuse:fuse-karaf-patch-metadata:RELEASE.
- For projects using the Fuse Spring Boot BOM, org.jboss.redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml is resolved. This is the metadata of the artifact with the coordinates org.jboss.redhat-fuse:fuse-springboot-patch-metadata:RELEASE.

Example of the metadata generated by Maven:

    <?xml version="1.0" encoding="UTF-8"?>
    <metadata>
      <groupId>org.jboss.redhat-fuse</groupId>
      <artifactId>fuse-springboot-patch-metadata</artifactId>
      <versioning>
        <release>7.8.1.fuse-sb2-781025</release>
        <versions>
          <version>7.8.0.fuse-sb2-780025</version>
          <version>7.7.0.fuse-sb2-770010</version>
          <version>7.7.0.fuse-770010</version>
          <version>7.8.1.fuse-sb2-781025</version>
        </versions>
        <lastUpdated>20201023131724</lastUpdated>
      </versioning>
    </metadata>
patch-maven-plugin parses the metadata to select the version that is applicable to the current project. This only works for Maven projects that use Fuse BOM version 7.8.xxx. Only the metadata matching the version range 7.8, 7.7 or later is applicable, and only the latest version of the metadata is fetched.

patch-maven-plugin collects the list of remote Maven repositories to use when downloading the patch metadata identified by groupId, artifactId and version. These Maven repositories are the ones listed in the <repositories> element of the active profiles, plus the repositories from the settings.xml file.

    $ mvn clean install
    [INFO] Scanning for projects...
    [INFO] ========== Red Hat Fuse Maven patching ==========
    [INFO] [PATCH] Reading patch metadata and artifacts from 2 project repositories
    [INFO] [PATCH]  - local-nexus: http://everfree.forest:8081/repository/maven-releases/
    [INFO] [PATCH]  - central: https://repo.maven.apache.org/maven2
    Downloading from local-nexus: http://everfree.forest:8081/repository/maven-releases/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml
    ...
Alternatively, if you want to use an offline repository, you can use the -Dpatch option to specify the ZIP file generated by the fuse-karaf/fuse-karaf-patch-repository or fuse-springboot/fuse-springboot-patch-repository module. These ZIP files have the same internal structure as a Maven repository. For example:

    $ mvn clean install -Dpatch=../../../test/resources/patch-3.zip
    [INFO] Scanning for projects...
    [INFO] ========== Red Hat Fuse Maven patching ==========
    [INFO] [PATCH] Reading metadata and artifacts from /data/sources/github.com/jboss-fuse/redhat-fuse/fuse-tools/patch-maven-plugin/src/test/resources/patch-3.zip
    Downloading from fuse-patch: zip:file:/tmp/patch-3.zip-1742974214598205745/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml
    Downloaded from fuse-patch: zip:file:/tmp/patch-3.zip-1742974214598205745/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml (406 B at 16 kB/s)
    Downloading from fuse-patch: zip:file:/tmp/patch-3.zip-1742974214598205745/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/7.8.0.fuse-sb2-781023/fuse-springboot-patch-metadata-7.8.0.fuse-sb2-781023.xml
    Downloaded from fuse-patch: zip:file:/tmp/patch-3.zip-1742974214598205745/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/7.8.0.fuse-sb2-781023/fuse-springboot-patch-metadata-7.8.0.fuse-sb2-781023.xml (926 B at 309 kB/s)
    [INFO] [PATCH] Resolved patch descriptor: /home/user/.m2/repository/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/7.8.0.fuse-sb2-781023/fuse-springboot-patch-metadata-7.8.0.fuse-sb2-781023.xml
    ...
Whether the metadata comes from a remote repository, the local repository or a ZIP file, it is analyzed by patch-maven-plugin. The fetched metadata contains CVEs and, for each CVE, a list of the affected Maven artifacts (specified by a glob pattern and a version range) together with the version that contains the fix for that CVE. For example:

    <?xml version="1.0" encoding="UTF-8" ?>
    <metadata xmlns="urn:redhat:fuse:patch-metadata:1">
      <product-bom groupId="org.jboss.redhat-fuse" artifactId="fuse-springboot-bom" versions="[7.8,7.9)" />
      <cves>
        <cve id="CVE-2020-xyz" description="Jetty can be configured to listen on port 8080"
             cve-link="https://nvd.nist.gov/vuln/detail/CVE-2020-xyz"
             bz-link="https://bugzilla.redhat.com/show_bug.cgi?id=42">
          <affects groupId="org.eclipse.jetty" artifactId="jetty-*" versions="[9.4,9.4.32)" fix="9.4.32.v20200930" />
          <affects groupId="org.eclipse.jetty.http2" artifactId="http2-*" versions="[9.4,9.4.32)" fix="9.4.32.v20200930" />
        </cve>
      </cves>
      <fixes />
    </metadata>
Finally, patch-maven-plugin iterates over all the managed dependencies of the current project and consults the list of fixes specified in the patch metadata. Matching dependencies (and managed dependencies) are changed to the fixed version. For example:

    $ mvn clean install -U
    [INFO] Scanning for projects...
    [INFO ========== Red Hat Fuse Maven patching ==========
    [INFO] [PATCH] Reading patch metadata and artifacts from 2 project repositories
    [INFO] [PATCH]  - local-nexus: http://everfree.forest:8081/repository/maven-releases/
    [INFO] [PATCH]  - central: https://repo.maven.apache.org/maven2
    Downloading from local-nexus: http://everfree.forest:8081/repository/maven-releases/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml
    Downloading from central: https://repo.maven.apache.org/maven2/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml
    Downloaded from local-nexus: http://everfree.forest:8081/repository/maven-releases/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/maven-metadata.xml (363 B at 4.3 kB/s)
    [INFO] [PATCH] Resolved patch descriptor: /home/user/.m2/repository/org/jboss/redhat-fuse/fuse-springboot-patch-metadata/7.8.0.fuse-sb2-780032/fuse-springboot-patch-metadata-7.8.0.fuse-sb2-780032.xml
    [INFO] [PATCH] Patch metadata found for org.jboss.redhat-fuse/fuse-springboot-bom/[7.8,7.9)
    [INFO] [PATCH]  - patch contains 1 CVE fix
    [INFO] [PATCH] Processing managed dependencies to apply CVE fixes...
    [INFO] [PATCH]  - CVE-2020-xyz: Jetty can be configured to expose itself on port 8080 (https://nvd.nist.gov/vuln/detail/CVE-2020-xyz, https://bugzilla.redhat.com/show_bug.cgi?id=42_
    [INFO] [PATCH] Applying change org.eclipse.jetty/jetty-*/[9.4,9.4.32) -> 9.4.32.v20200930
    [INFO] [PATCH]  - managed dependency: org.eclipse.jetty/jetty-alpn-client/9.4.30.v20200611 -> 9.4.32.v20200930
    ...
    [INFO] [PATCH]  - managed dependency: org.eclipse.jetty/jetty-openid/9.4.30.v20200611 -> 9.4.32.v20200930
    [INFO] [PATCH] Applying change org.eclipse.jetty.http2/http2-*/[9.4,9.4.32) -> 9.4.32.v20200930
    [INFO] [PATCH]  - managed dependency: org.eclipse.jetty.http2/http2-client/9.4.30.v20200611 -> 9.4.32.v20200930
    ...
    [INFO] [PATCH] Done in 635ms
    =================================================
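To make the matching step concrete, here is an added Python illustration (it is not the plugin's own code, which is Java): it parses a constructed descriptor in the urn:redhat:fuse:patch-metadata:1 format shown above, checks the project's BOM version against product-bom, and rewrites every managed dependency whose groupId matches exactly, whose artifactId matches the glob, and whose version lies inside the affected range. Maven range handling is simplified to a single bounded interval with numeric ordering of the leading version components, which is an assumption of this example.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:redhat:fuse:patch-metadata:1"}

# Constructed patch descriptor in the format shown above (not a real Red Hat patch).
PATCH_XML = """<metadata xmlns="urn:redhat:fuse:patch-metadata:1">
  <product-bom groupId="org.jboss.redhat-fuse" artifactId="fuse-springboot-bom" versions="[7.8,7.9)"/>
  <cves><cve id="CVE-2020-xyz">
    <affects groupId="org.eclipse.jetty" artifactId="jetty-*" versions="[9.4,9.4.32)" fix="9.4.32.v20200930"/>
    <affects groupId="org.eclipse.jetty.http2" artifactId="http2-*" versions="[9.4,9.4.32)" fix="9.4.32.v20200930"/>
  </cve></cves><fixes/>
</metadata>"""

def version_key(v):
    """Leading numeric components only: '9.4.30.v20200611' -> (9, 4, 30). Simplified ordering (assumption)."""
    head = re.match(r"[\d.]*", v).group(0).strip(".")
    return tuple(int(p) for p in head.split(".") if p)

def in_range(version, spec):
    """Single Maven range such as [9.4,9.4.32); unions of ranges are not handled (assumption)."""
    m = re.fullmatch(r"([\[(])([^,]*),([^\])]*)([\])])", spec.strip())
    if not m:
        raise ValueError("unsupported version range: " + spec)
    lo, hi, k = m.group(2), m.group(3), version_key(version)
    below = bool(lo) and (k < version_key(lo) or (k == version_key(lo) and m.group(1) == "("))
    above = bool(hi) and (k > version_key(hi) or (k == version_key(hi) and m.group(4) == ")"))
    return not (below or above)

def load_patch(xml_text):
    # Returns (product-bom attributes, [(cve id, groupId, artifactId glob, affected range, fix version), ...])
    root = ET.fromstring(xml_text)
    bom = root.find("p:product-bom", NS).attrib
    fixes = [(cve.get("id"), a.get("groupId"), a.get("artifactId"), a.get("versions"), a.get("fix"))
             for cve in root.findall("p:cves/p:cve", NS) for a in cve.findall("p:affects", NS)]
    return bom, fixes

def apply_patch(bom_version, managed, xml_text=PATCH_XML):
    """managed: {'groupId:artifactId': version}. Returns {'groupId:artifactId': fixed version} for matches."""
    bom, fixes = load_patch(xml_text)
    if not in_range(bom_version, bom["versions"]):
        return {}  # descriptor targets a different BOM version range, so nothing is changed
    changes = {}
    for ga, version in managed.items():
        group, artifact = ga.split(":", 1)
        for _cve, fg, fa_glob, rng, fix in fixes:
            # exact groupId, glob on artifactId, version inside the affected range
            if group == fg and fnmatch.fnmatchcase(artifact, fa_glob) and in_range(version, rng):
                changes[ga] = fix
    return changes
```

A dependency already at or above the fix version (for example 9.4.32.v20200930 against [9.4,9.4.32)) is left untouched, matching the "->" lines in the output above, which only list dependencies still inside the affected range.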
Skipping a patch
If you do not want to apply a particular patch to a project, patch-maven-plugin provides a skip option. Assuming you have added patch-maven-plugin to your project's pom.xml file and you do not want the versions to be modified, you can skip the patch using one of the following methods.
- Add the skip option to your project's pom.xml file, as follows:

    <build>
      <plugins>
        <plugin>
          <groupId>org.jboss.redhat-fuse</groupId>
          <artifactId>patch-maven-plugin</artifactId>
          <version>${version.org.jboss-redhat-fuse}</version>
          <extensions>true</extensions>
          <configuration>
            <skip>true</skip>
          </configuration>
        </plugin>
      </plugins>
    </build>
- Or use the -DskipPatch option when running the mvn command, as follows:

    $ mvn dependency:tree -DskipPatch
    [INFO] Scanning for projects...
    [INFO]
    [INFO] ------< org.jboss.redhat-fuse:cve-dependency-management-module1 >-------
    [INFO] Building cve-dependency-management-module1 7.8.0.fuse-sb2-780033
    [INFO] --------------------------------[ jar ]---------------------------------
    ...
As shown in the output above, patch-maven-plugin is not invoked, so no patch is applied to the application.